                       U.S. DEPARTMENT OF ENERGY
                      OFFICE OF INSPECTOR GENERAL


                                  AUDIT OF

                 DEPARTMENTAL INTEGRATED STANDARDIZED

           CORE ACCOUNTING SYSTEM (DISCAS) OPERATIONS

                        AT SELECTED FIELD SITES


The Office of Inspector General wants to make the
distribution of its reports as customer friendly and cost
effective as possible. Therefore, this report will be
available electronically through the Internet five to seven
days after publication at the following alternative
addresses:


            Department of Energy Headquarters Gopher
                     gopher.hr.doe.gov

        Department of Energy Headquarters Anonymous FTP
                    vm1.hqadmin.doe.gov

        U.S. Department of Energy Human Resources and
                    Administration Home Page
                   http://www.hr.doe.gov/ig

Your comments would be appreciated and can be provided on
the Customer Response Form attached to the report.


This report can be obtained from the
U.S. Department of Energy
Office of Scientific and Technical Information
P.O. Box 62
Oak Ridge, Tennessee 37831


Report Number:     AP-FS-97-02        ADP and Technical Support Division
Date of Issue:     June 6, 1997       Washington, D.C. 20585



          AUDIT OF DEPARTMENTAL INTEGRATED STANDARDIZED
           CORE ACCOUNTING SYSTEM (DISCAS) OPERATIONS
                     AT SELECTED FIELD SITES


                           TABLE OF CONTENTS

           SUMMARY

PART I   - APPROACH AND OVERVIEW

           Introduction

           Scope and Methodology

           Background

           Observations

PART II  - AUDIT RESULTS

           General Control Environment for DISCAS
           Operations

           Application Controls for DISCAS
           Operations


                    U.S. DEPARTMENT OF ENERGY
                   OFFICE OF INSPECTOR GENERAL
                    OFFICE OF AUDIT SERVICES


          AUDIT OF DEPARTMENTAL INTEGRATED STANDARDIZED
           CORE ACCOUNTING SYSTEM (DISCAS) OPERATIONS
                     AT SELECTED FIELD SITES


Audit Report Number:   AP-FS-97-02

                              SUMMARY

     The Government Management Reform Act of 1994 requires the
Department to annually submit audited financial statements to the
Office of Management and Budget beginning with the statements to
be issued as of September 30, 1996. As part of a Department-wide
financial statements audit, we reviewed operations and internal
controls at selected field sites in order to assess the integrity
and reliability of financial data processed through the
Departmental Integrated Standardized Core Accounting System
(DISCAS). Our primary emphasis was placed on reviewing the
general control environment in which DISCAS operates to ensure
that application controls could not be rendered ineffective by
circumvention or modification. We also performed limited tests
of application controls and data integrity to assist us in
assessing the validity and reliability of data processed through
DISCAS.

     This report addresses certain matters involving the design
and operations of DISCAS that could affect the Department's
ability to ensure that financial data is recorded, processed, and
reported in a reliable manner. Specifically, at the three field
sites audited, some weaknesses exist in the general and
application controls for DISCAS that could affect the reliability
of data processed through the system. However, nothing came to
our attention that causes us to believe that the system would
introduce significant distortions into the Department's financial
statements.

     Management concurred with our findings and recommendations.
Management's comments are summarized in Part II of this report.


                                     ___________________________

                              PART I

                       APPROACH AND OVERVIEW


INTRODUCTION

     The Government Management Reform Act of 1994 requires the
Department to annually submit audited financial statements to the
Office of Management and Budget (OMB) beginning with the
statements to be issued as of September 30, 1996. As part of a
Department-wide financial statements audit, we reviewed
operations and internal controls at selected field sites in order
to assess the integrity and reliability of financial data
processed through the Departmental Integrated Standardized Core
Accounting System (DISCAS).

SCOPE AND METHODOLOGY

     Our primary emphasis was placed on reviewing the general
control environment in which DISCAS operates to ensure that
application controls could not be rendered ineffective by
circumvention or modification. We also performed limited tests
of application controls and data integrity to assist us in
assessing the validity and reliability of data processed through
DISCAS.

     Our audit was primarily conducted at the Oak Ridge Financial
Management Division, Oak Ridge, Tennessee; the Albuquerque
Financial Service Center, Albuquerque, New Mexico; the Capital
Accounting Center, formerly the Office of Headquarters Accounting
Operations (OHAO); and the Headquarters Computing Facility,
Germantown, Maryland. Our audit work was initiated in May 1996,
and an exit conference was held with officials of the Office of
Chief Financial Officer (CFO) in March 1997.

     We obtained and reviewed system documentation, prior system
reviews, error (edit) reports and related reports and records.
We interviewed persons responsible for system design,
maintenance, and day-to-day operations, as well as system users.
In addition, we used both on-line access and computer assisted
audit techniques to assist in our understanding of the general
and application control environment in which DISCAS operates, and
observed the on-line processing of transactions to verify system
control and edit functions. We also compared system
characteristics and operating procedures with applicable laws,
regulations, and other requirements for Federal financial
management systems.

     Our audit was performed in accordance with generally
accepted Government auditing standards for financial audits.
This included tests of internal controls and compliance with laws
and regulations to the extent necessary to meet the objectives of
the audit. Because our review was limited, it would not
necessarily have disclosed all internal control deficiencies that
may exist. Also, projection of any evaluation of the structure
to future periods is subject to the risk that procedures may
become inadequate because of changes in conditions or that the
degree of compliance with the policies or procedures may
deteriorate.

BACKGROUND

     DISCAS, as an integral part of the Departmental Primary
Accounting System, was designed to provide DOE with a
standardized automated system that performs accounting and
financial reporting functions consistent with both internal and
external accounting policies and procedures, such as those
contained in the Department of Energy Accounting Handbook or
issued by external organizations such as the OMB, the General
Accounting Office (GAO), and the U.S. Treasury. It was designed
to perform such functions as funds control, voucher processing,
U.S. Treasury payment, accounts receivable, collections, cost
accruals and reversals, travel, year-end closing, reimbursable
work, and invoice logging and tracking. The system also
provides monthly consolidation data to the Financial Information
System (FIS) and/or Management Analysis Reporting System (MARS).

     In addition to FIS/MARS, the following application systems
also interface with DISCAS, either through batch processing or
menu options:

          Budget and Reporting Classification System.
          Funds Distribution System (FDS).
          Labor Distribution System.
          Payroll/Personnel System.
          Procurement and Assistance Data System.

     DISCAS is intended to operate as an on-line, fully
interactive, Agency-level accounting system that uses standard
hardware and software. The system contains eight modules,
including budget and accounting. It operates on Hewlett-Packard
(HP) 3000 Series computers, located at DOE Headquarters and field
sites. DISCAS source programs, written in HP COBOL II, are
provided to each site running the software. The Financial Systems
Development Division (FSDD)--located within the Office of
Departmental Accounting and Financial Systems Development, CFO--
is responsible for central management of the system.

     As of the end of Fiscal Year 1996, the system was in
operation at 4 DOE sites with HP computers, and was being
utilized by 18 different DOE organizations. The system is
currently operational at the DOE Albuquerque and Oak Ridge
Operations Offices, the Federal Energy Regulatory Commission and
the OHAO. The Idaho, Nevada, and Oakland Operations Offices are
operational on the Albuquerque system. The Savannah River
Operations Office, Richland Operations Office, Pittsburgh Energy
Technology Center, Rocky Flats Field Office, Ohio Field Office,
the Morgantown Energy Technology Center, and the Strategic
Petroleum Reserve Project Office are operational on the Oak
Ridge system; and Pittsburgh and Schenectady Naval Reactors, the
Chicago Operations Office and the Departmental Accounting and
Analysis Division, within the Office of Departmental Accounting
and Financial Systems Development, utilize the OHAO system.
Also, DISCAS is not utilized at the Department's Power Marketing
Administrations.

OBSERVATIONS

     This report addresses certain matters involving the design
and operations of DISCAS that could affect the Department's
ability to ensure that financial data is recorded, processed, and
reported in a reliable manner. Specifically, some weaknesses
exist in the general and application controls for DISCAS that
could affect the reliability of data processed through the
system. Instances were found where general controls relating to
the separation of duties; software changes; access; and
contingency and disaster recovery planning were not implemented
in a manner to ensure that information resources were
sufficiently safeguarded, and essential operations could be
continued in case of an unexpected interruption. Also, instances
were found where application controls relating to validator
program operation and difference resolution; and non-posting or
invalid transaction documentation were not implemented in a
manner to ensure sufficient control over the input and processing
of data.

     Overall, we do not believe that any of the conditions at the
field sites audited would introduce significant distortion into
the Department's financial statements.
Because our review was limited, however, it would not
necessarily have disclosed all internal control deficiencies
that may exist.

     Part II of this report provides additional details
concerning the audit results.


                                 PART II

                              AUDIT RESULTS


     The following issues regarding the design and internal
control structure for DISCAS were identified during the course of
the audit and brought to management's attention.

1.       General Control Environment for DISCAS Operations.

     General controls apply to all computer processing carried
out at a facility and are independent of specific applications.
They relate to organization; system design, development and
modification; and security. Weaknesses exist in the general
controls for DISCAS that could affect the reliability of data
processed through DISCAS. At the three sites established in the
Department as consolidated service centers for DISCAS operations,
we found instances where general controls were not implemented in
a manner to ensure that information resources were sufficiently
safeguarded, and essential operations could be continued in case
of an unexpected interruption. Specifically, our review
disclosed the following:

     o   Certain organizational responsibilities and functions
         surrounding DISCAS, such as application system
         operation/security and payment and certification, were
         inadequately separated. For instance, site personnel with
         capabilities for establishing application access
         privileges also had capability to alter financial
         information. Also, a computer system manager at one site
         was also responsible for computer system security.

     o   Each site had access to DISCAS source code and could
         introduce changes into the system that were not approved
         and documented in accordance with formal change control
         procedures. From reports generated through the use of
         computer program comparison software, we found instances
         of missing, excessive and/or unapproved altered DISCAS
         core program source code in the production accounts for
         the sites.

     o   Continuity of operations for performing mission
         requirements would be uncertain in event of
         non-availability of the site computer systems due to a
         major service disruption or disaster. At one site, no
         contingency agreement existed for an alternate processing
         facility (i.e., hot site). At another site, prior testing
         for contingency and disaster recovery disclosed that the
         alternate processing site may not have sufficient
         resources to meet processing needs.

     o   Access to the computer and application systems was in
         excess of and/or inconsistent with site user needs. Menu
         privileges were set up in the application system that
         allowed the same user to enter, validate and certify a
         payment transaction, and a large number of user accounts
         had never been logged into over a period of six months or
         more. Agencies are required to establish, evaluate, and
         maintain secure control environments for their financial
         management systems. For example, Appendix III to Title 2
         "Accounting" of the GAO Policy and Procedures Manual for
         Guidance of Federal Agencies states that systems must
         include procedures and controls which protect hardware,
         software, data, and documentation from physical damage by
         accident, fire, and environmental hazards and from
         unauthorized access whether inadvertent or deliberate.

     These weaknesses, in our opinion, existed because the CFO
had not (1) provided sufficient uniform guidance on formal
procedural requirements for security controls relating to DISCAS
operations; (2) performed recent reviews to assess the integrity
and security of DISCAS programs and system structure; and (3)
provided for overall contingency and disaster recovery planning
to ensure continuity of DISCAS operations. Responsibility for the
security of the data, and for access to it, is delegated to the
sites that process with the DISCAS application. The CFO did,
however, establish requirements for site maintenance of site
security plans and provide general recommendations on computer
security access controls. We found, in some instances, that
formal procedures at the sites were outdated in certain aspects
and/or did not address security controls relating to computer and
application system operation, such as specific security software
parameter settings for the computer system (e.g., automatic
computer system log off of a user after a period of inactivity),
and application and computer system access control.

     Also, within the organizational structure established for
DISCAS, organizational elements within the CFO had responsibility
for application system software programming, analysis and change
controls, and the performance of reviews to assess application
security and the integrity of core software issued to the sites.
However, a review to assess application integrity and security of
DISCAS programs and system structure had not been performed by
the CFO at the consolidated service centers since 1994.

     Improvements in the implementation of existing general
controls will enable the CFO to better ensure that (1) financial
data and programs are protected from unauthorized access, (2)
application controls will not be rendered ineffective through
circumvention or modification of the general controls, and (3)
mission functions such as payment processing and financial
information generation can be continued in event of a major
service disruption or disaster. Our review, however, did not
cause us to believe that these conditions at the sites distorted
the information input to or produced from the application system.

Recommendations

     We recommend that the CFO:

       1. Provide, through coordination with the consolidated
       service centers, uniform guidance on formal procedural
       requirements for security controls relating to DISCAS
       operations, to include items such as specific security
       software parameter settings, and application and computer
       system access control;

       2. Coordinate with the consolidated service centers on
       formal contingency and disaster recovery planning to
       ensure that the computer and DISCAS application systems
       are available when needed to perform mission functions;
       and

       3. Establish plans or procedures for conducting more
       frequent reviews to ensure the integrity and security of
       DISCAS programs and system structure.

Management Comments

     Management concurred with our finding and recommendations.

Auditor Comments

     Management's comment is responsive to our recommendations.
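The second general-control finding above rests on a program comparison
between the core source the CFO issued and what each site's production
account actually held. The script below is an added example written for this
report, not DISCAS code or the comparison software the auditors used. It
shows the same check as a hash manifest: the central office publishes a
digest of every approved source file, and a site's production account is
classified against it into the three categories the finding names (missing,
excessive, altered). The COBOL file names, their contents and the "site"
listing are constructed for the example.

```python
"""Compare a site's production source against an approved release manifest.

Added example; not part of DISCAS or of the report. File names and contents
are constructed.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Map each file name to the digest of its contents."""
    return {name: sha256_hex(content) for name, content in files.items()}


def manifest_from_directory(root: Path, pattern: str = "*.cbl") -> Dict[str, str]:
    """build_manifest over real files under root, for use at a site."""
    return {
        str(path.relative_to(root)): sha256_hex(path.read_bytes())
        for path in sorted(root.rglob(pattern))
        if path.is_file()
    }


def compare_to_baseline(baseline: Mapping[str, str],
                        production: Mapping[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the approved release and production.

    missing   - in the approved release but absent from production
    excessive - in production but never part of the approved release
    altered   - in both, with different contents
    """
    base_names, prod_names = set(baseline), set(production)
    return {
        "missing": sorted(base_names - prod_names),
        "excessive": sorted(prod_names - base_names),
        "altered": sorted(name for name in base_names & prod_names
                          if baseline[name] != production[name]),
    }


# Constructed sample: the release as issued by the central office ...
APPROVED_RELEASE = {
    "FUNDCTL.cbl": b"       IDENTIFICATION DIVISION.\n       PROGRAM-ID. FUNDCTL.\n",
    "VOUCHER.cbl": b"       IDENTIFICATION DIVISION.\n       PROGRAM-ID. VOUCHER.\n",
    "PAYTREAS.cbl": b"       IDENTIFICATION DIVISION.\n       PROGRAM-ID. PAYTREAS.\n",
}

# ... and a site's production account: PAYTREAS is gone, VOUCHER carries an
# unapproved local change, and LOCALFIX was never in the release.
SITE_PRODUCTION = {
    "FUNDCTL.cbl": APPROVED_RELEASE["FUNDCTL.cbl"],
    "VOUCHER.cbl": APPROVED_RELEASE["VOUCHER.cbl"] + b"       SKIP-CERTIFY.\n",
    "LOCALFIX.cbl": b"       IDENTIFICATION DIVISION.\n       PROGRAM-ID. LOCALFIX.\n",
}


def audit_site(production_files: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Run the comparison for one site against the approved release."""
    return compare_to_baseline(build_manifest(APPROVED_RELEASE),
                               build_manifest(production_files))


if __name__ == "__main__":
    for kind, names in audit_site(SITE_PRODUCTION).items():
        print(f"{kind:9s}: {', '.join(names) or '(none)'}")
```

The manifest only detects what the site cannot also rewrite: it has to be
produced by the issuing office and delivered to the reviewer by a path the
site's production account cannot modify, otherwise an altered program can be
accompanied by an altered digest and the comparison reports nothing.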
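The separation-of-duties and access findings above (a user able to enter,
validate and certify the same payment; access administrators able to alter
financial data; accounts never logged into for six months or more) are the
kind of condition an access review script can pull out of a privilege
listing. The script below is an added example written for this report, not
DISCAS code: the privilege names, user accounts, logon dates and the review
date are all constructed, and the 180-day dormancy threshold is taken from
the six-month period the finding cites.

```python
"""Access review: toxic privilege combinations and dormant accounts.

Added example; not part of DISCAS or of the report. Privilege names, users
and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Combinations one account must not hold (privilege names are assumed).
TOXIC_COMBINATIONS: Dict[str, FrozenSet[str]] = {
    "enter, validate and certify a payment":
        frozenset({"PAY_ENTER", "PAY_VALIDATE", "PAY_CERTIFY"}),
    "grant application access and alter financial data":
        frozenset({"SEC_GRANT_ACCESS", "FIN_ALTER"}),
}
DORMANT_AFTER = timedelta(days=180)  # the six months named in the finding


@dataclass(frozen=True)
class Account:
    user: str
    privileges: FrozenSet[str]
    last_logon: Optional[date]   # None means the account was never logged into


def separation_of_duties_findings(accounts: List[Account]) -> List[str]:
    """One finding per account per toxic combination it fully holds."""
    findings = []
    for acct in accounts:
        for label, combo in TOXIC_COMBINATIONS.items():
            if combo <= acct.privileges:
                findings.append(f"{acct.user}: {label}")
    return findings


def dormant_accounts(accounts: List[Account], as_of: date) -> List[str]:
    """Accounts never used, or unused for DORMANT_AFTER or longer."""
    return [a.user for a in accounts
            if a.last_logon is None or as_of - a.last_logon >= DORMANT_AFTER]


def review(accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    return {
        "separation_of_duties": separation_of_duties_findings(accounts),
        "dormant": dormant_accounts(accounts, as_of),
    }


# Constructed access listing as of the fiscal year end used in the report.
REVIEW_DATE = date(1996, 9, 30)
ACCESS_LISTING = [
    Account("jsmith", frozenset({"PAY_ENTER", "PAY_VALIDATE", "PAY_CERTIFY"}), date(1996, 9, 27)),
    Account("secadm", frozenset({"SEC_GRANT_ACCESS", "FIN_ALTER"}), date(1996, 9, 1)),
    Account("clerk1", frozenset({"PAY_ENTER"}), date(1996, 9, 29)),
    Account("cert2", frozenset({"PAY_CERTIFY"}), date(1996, 4, 10)),   # 173 days: not yet dormant
    Account("oldusr", frozenset({"PAY_VALIDATE"}), date(1996, 2, 1)),  # 242 days: dormant
    Account("temp94", frozenset({"PAY_ENTER"}), None),                 # never logged in
]

if __name__ == "__main__":
    for category, items in review(ACCESS_LISTING, REVIEW_DATE).items():
        print(category)
        for item in items:
            print("   ", item)
```

The check is per account. A person holding two accounts that together cover
enter, validate and certify passes it, so the listing has to be joined to
the personnel record (one identity per row) before the toxic-combination
test means what the finding intends.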
2.   Application Controls for DISCAS Operations.

     Application controls are those methods and procedures
designed for each application to ensure the authority of data
origination, the accuracy of data input, integrity of data
processing, and verification and distribution of output.
Weaknesses exist in the application controls for DISCAS that
could affect the reliability of data processed. At the three
sites established in the Department as consolidated service
centers for DISCAS operations, application controls related to
DISCAS operations were not implemented in a manner to ensure
sufficient control over the input and processing of data.
Specifically, our review disclosed the following:

     o   The DISCAS software contains validator programs that can
         be used for (1) performing comparisons or reconciliation
         between certain data elements across datasets (i.e.,
         collections of data records or entries) in the system,
         (2) detecting instances where DISCAS files have not been
         completely processed, and (3) ensuring that entered
         transactions have been completely processed. However,
         certain core dataset validator programs in DISCAS were
         not operating properly. Sites reported, for instance,
         that a program comparing the trial balance dataset and a
         dataset maintaining totals for reimbursable activities
         did not execute properly (i.e., it ran in a continuous
         loop). Also, a program for ensuring consistency between
         the general ledger dataset, a summary dataset and a
         summary dataset maintaining totals by budget and
         reporting code reported differences because it compared
         a dissimilar data element (i.e., account code).

     o   Differences generated from core dataset validator
         programs were not being resolved on a regular basis by
         site personnel. For instance, at one site, a report
         comparing funding transactions and summary totals of
         payments by budget and reporting code for fiscal year
         1996 identified 345 differences, such as unequal amounts
         and missing entries between the datasets, that had not
         been resolved.

     o   Review and disposition of non-posting or invalid
         transactions is not documented by site personnel to
         ensure ultimate transaction recording within the
         application system. Agencies are required to establish
         controls to provide reasonable assurance that the
         recording, processing, and reporting of data is properly
         performed within the framework of financial management
         systems. For example, Appendix III to Title 2
         "Accounting" of the GAO Policy and Procedures Manual for
         Guidance of Federal Agencies prescribes that agency
         systems must contain internal controls which operate to
         prevent, detect, and correct errors and irregularities
         which may occur anywhere in the chain of events from
         transaction authorization to issuance of reports. The
         controls can be generally thought of as covering the
         functions of transaction authorization and approval, data
         preparation and validation, input, communications,
         processing, storage, output, error resolution and reentry
         of data, and file or data base quality maintenance.

     These weaknesses, in our opinion, existed because the CFO
had not (1) provided sufficient uniform guidance on formal
procedural requirements for application controls relating to
certain DISCAS operations; and (2) corrected core DISCAS
validator programs with problems. In addition, personnel at the
sites advised that resolution of differences generated from core
dataset validator programs overall had not been a priority.

     The CFO established requirements for site maintenance of
formal procedures for DISCAS operations in general. However,
formal procedures at the sites either did not exist or did not
address controls for application system operations, such as
review and resolution of non-posting or invalid transactions; and
validator program execution, review and resolution. Without
effective application controls for DISCAS, the CFO cannot ensure
that all DOE organizations are consistently recording,
processing, and reporting financial transactions and events
throughout the Department.

Recommendations

     We recommend that the CFO:

       1. Provide, through coordination with the consolidated
       service centers, uniform guidance on formal procedural
       requirements for application controls relating to DISCAS
       operations, to include items such as non-posting or
       invalid transaction review and resolution, and validator
       program execution, review and resolution; and

       2. Initiate action to correct reported problems in
       DISCAS core validator programs.

Management Comments

     Management concurred with our finding and recommendations.

Auditor Comments

     Management's comment is responsive to our recommendations.
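The validator programs described in finding 2 reconcile one dataset against
another and report the differences (unequal amounts, entries present on one
side only); the two defects reported were a validator that looped without
terminating and one that compared a dissimilar data element. The script
below is an added example written for this report, not one of the DISCAS
validator programs: it reconciles a constructed funding-transaction detail
against a constructed summary of payment totals by budget and reporting
(B&R) code, shows why iterating over a finite key set cannot loop, and
shows the spurious differences produced when the two sides are rolled up on
different data elements. Record layouts, codes and amounts are invented.

```python
"""Cross-dataset validator: reconcile detail records against summary totals.

Added example; not a DISCAS program. Records, codes and amounts are
constructed.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, Iterable, List, Mapping, Tuple

Record = Mapping[str, object]
Difference = Tuple[str, str, Decimal, Decimal]   # key, kind, detail, summary


def totals_by_key(records: Iterable[Record], key: str,
                  amount: str = "amount") -> Dict[str, Decimal]:
    """Sum the amount field per value of `key`. Decimal avoids float drift."""
    totals: Dict[str, Decimal] = defaultdict(Decimal)
    for rec in records:
        totals[str(rec[key])] += Decimal(str(rec[amount]))
    return dict(totals)


def reconcile(detail_totals: Mapping[str, Decimal],
              summary_totals: Mapping[str, Decimal]) -> List[Difference]:
    """Report every key on which the two sides disagree.

    Walking the sorted union of keys once means the validator always
    terminates; a loop that re-reads a dataset "until both sides agree"
    can run forever when they never will.
    """
    diffs: List[Difference] = []
    for key in sorted(set(detail_totals) | set(summary_totals)):
        d, s = detail_totals.get(key), summary_totals.get(key)
        if d is None:
            diffs.append((key, "missing-in-detail", Decimal(0), s))
        elif s is None:
            diffs.append((key, "missing-in-summary", d, Decimal(0)))
        elif d != s:
            diffs.append((key, "unequal", d, s))
    return diffs


def validate(detail: Iterable[Record], summary: Iterable[Record],
             key: str = "br_code") -> List[Difference]:
    """Roll both datasets up on the SAME data element, then reconcile."""
    return reconcile(totals_by_key(detail, key), totals_by_key(summary, key))


def validate_mismatched_keys(detail: Iterable[Record],
                             summary: Iterable[Record]) -> List[Difference]:
    """The defect the report describes: each side rolled up on a different
    element (account code vs. B&R code). Every key then appears missing on
    one side, so the differences say nothing about the data."""
    return reconcile(totals_by_key(detail, "account_code"),
                     totals_by_key(summary, "br_code"))


# Constructed funding transactions (detail) carrying both a B&R code and an
# account code, and constructed payment totals summarised by B&R code.
FUNDING_DETAIL = [
    {"br_code": "AB0101", "account_code": "1000", "amount": "1500.00"},
    {"br_code": "AB0101", "account_code": "1010", "amount": "250.00"},
    {"br_code": "CD0220", "account_code": "2000", "amount": "900.00"},
    {"br_code": "EF0305", "account_code": "3000", "amount": "120.00"},
]
PAYMENT_SUMMARY = [
    {"br_code": "AB0101", "amount": "1750.00"},   # agrees with detail
    {"br_code": "CD0220", "amount": "850.00"},    # unequal amount
    {"br_code": "GH0410", "amount": "40.00"},     # no funding detail
]                                                  # EF0305 has no summary

if __name__ == "__main__":
    for key, kind, d, s in validate(FUNDING_DETAIL, PAYMENT_SUMMARY):
        print(f"{key}  {kind:18s}  detail={d:>9}  summary={s:>9}")
```

Each difference the validator emits is a work item: the finding is not that
differences arose (345 did at one site) but that nobody resolved them, so
the output should be logged with the run date and closed out explicitly
rather than regenerated on every run and ignored.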
                                       IG Report No. AP-FS-97-02


                      CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in
improving the usefulness of its products. We wish to make our
reports as responsive as possible to our customers' requirements,
and therefore ask that you consider sharing your thoughts with
us. On the back of this form, you may suggest improvements to
enhance the effectiveness of future reports. Please include
answers to the following questions if they are applicable to you:

      1. What additional background information about the
     selection, scheduling, scope, or procedures of the audit or
     inspection would have been helpful to the reader in
     understanding this report?

      2. What additional information related to findings and
     recommendations could have been included in this report to
     assist management in implementing corrective actions?

      3. What format, stylistic, or organizational changes might
     have made this report's overall message more clear to the
     reader?

      4. What additional actions could the Office of Inspector
     General have taken on the issues discussed in this report
     which would have been helpful?

Please include your name and telephone number so that we may
contact you should we have any questions about your comments.


Name_____________________________
Date______________________________

Telephone_________________________
Organization________________________

When you have completed this form, you may telefax it to the
Office of Inspector General at (202) 586-0948, or you may
mail it to:

               Office of Inspector General (IG-1)
               Department of Energy
               Washington, DC 20585
               Attn: Customer Relations

If you wish to discuss this report or your comments with a
staff member of the Office of Inspector General, please
contact Wilma Slaughter on (202) 586-1924.